$\begingroup$It does however seem unwise. In addition to whatever cipher you use you now also introduce the additional attack surface of ECC.$\endgroup$
– user10653Dec 1 '17 at 21:07

1

$\begingroup$@dingrite Actually I can see the point of doing this. For example consider a smartcard / HSM with an ECDH engine (which would provide you with eg a CDH oracle) but without a symmetric keystore. You can then use this HW device to hardware-enforce your "symmetric" key(s).$\endgroup$
– SEJPM♦Dec 1 '17 at 21:31

$\begingroup$Is it required to input a salt or something similar as used in static-static DH key agreement? It seems to me that you would otherwise always derive the same secret.$\endgroup$
– Maarten Bodewes♦Dec 2 '17 at 0:41